SSL was introduced by Netscape in the mid-1990s and TLS in 1999 in response to growing concerns about the security of data transmitted over the internet. However, the very protocol that was heralded as the ultimate cyber guard has ironically become an increasingly popular tool for cybercriminals to hide their activity. Organizations often do not inspect SSL-encrypted traffic because it is assumed to come from trusted sources, but that assumption no longer holds. While great for privacy, SSL is becoming a significant blind spot for companies as the share of encrypted traffic has risen sharply over the years. And while obtaining a digital certificate used to require a rigorous vetting process for a web site, certificates can now be obtained much more easily, in some cases for free. A domain-validated certificate proves only that the requester controls the domain name, not who operates it, so the padlock says nothing about the intent of the site behind it.

In this bi-annual research update, Zscaler ThreatLabZ examines SSL trends for the second half of 2017. As the volume of SSL traffic continues to grow, cybercriminals are increasingly using encryption to launch and hide attacks, and free certificates have become an easy disguise for attackers.

According to Google’s Transparency Report, during December the percentage of pages loaded over HTTPS in Chrome in the US was nearly 80 percent, and on December 1, 2017, Mozilla reported that 66.5% of all pages loaded in Firefox used HTTPS. Since July 2017, the amount of SSL-encrypted traffic on the Zscaler Cloud has increased by 10% to a total of 70% of all web traffic.

Threats in SSL Increase by 30%

The Zscaler cloud now blocks an average of 800,000 SSL-encrypted transactions per day because they contain advanced threats. That is an increase of about 30% in just six months: in the first half of 2017, the average was 600,000 blocked threats per day.
ThreatLabZ has seen the SSL-encrypted channel leveraged by cybercriminals across the full attack cycle: the initial delivery vectors (malvertising, compromised sites, phishing pages, and malicious sites hosting the initial loading page); the exploit and/or malware delivery stage, where SSL is used to deliver the exploit and malware payloads; and call-home activity, where many prevalent malware families use SSL-based command-and-control communication.

Phishing Site Activity Jumps 300%

Phishing attacks delivered over SSL in the Zscaler Cloud increased by nearly 300% in 2017. Malicious content was delivered in various ways, but ThreatLabZ found two patterns more dominant than others. One uses a phishing page hosted on a legitimate domain that has been compromised to deliver malware. The other leverages newly registered domains with similar but incorrect addresses, built to imitate the web sites of well-known brands. Brands the cybercriminals chose to imitate include DocuSign, Microsoft, Apple and Dropbox.
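Detection logic for the second phishing pattern, lookalike domains imitating DocuSign, Microsoft, Apple and Dropbox, combined with the post's point that certificates are now cheap to obtain, as an added example that is not code from the ThreatLabZ post or from any Zscaler product. It assumes a simplified TLS-inspection log with one session per line (timestamp, client, SNI, issuer CN, certificate notBefore), a hand-maintained allowlist of the registrable domains each brand legitimately uses, and a two-label registrable-domain heuristic; the log lines, issuer names, the `BRANDS` allowlist and the seven-day freshness threshold are all constructed for illustration.

```python
"""Flag TLS sessions whose SNI imitates a well-known brand and whose certificate
was issued only days before the session was seen.

Added example for this post, not ThreatLabZ code. The log format, brand list,
issuer names and the sample lines are constructed for illustration.
"""
from datetime import datetime, timedelta

# Brands the post names as imitated, mapped to registrable domains they legitimately use.
# Assumed allowlist; extend it for your environment.
BRANDS = {
    "docusign": {"docusign.com", "docusign.net"},
    "microsoft": {"microsoft.com", "microsoftonline.com", "live.com", "office.com"},
    "apple": {"apple.com", "icloud.com"},
    "dropbox": {"dropbox.com"},
}

# Character substitutions attackers use to make a lookalike read as the brand.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

# A certificate younger than this at the time of the session counts as freshly issued.
FRESH_CERT = timedelta(days=7)

# Constructed TLS-inspection log: timestamp | client | SNI | issuer CN | cert notBefore
SAMPLE_LOG = """\
2017-12-04T09:15:02Z | 10.1.4.22 | www.docusign.com | Example Commercial CA | 2017-03-14
2017-12-04T09:16:40Z | 10.1.4.22 | docusing-secure.com | Example Free CA | 2017-12-02
2017-12-04T09:20:11Z | 10.1.7.9 | login.microsoftonline.com | Example Commercial CA | 2017-06-01
2017-12-04T09:21:55Z | 10.1.7.9 | rnicrosoft-verify.net | Example Free CA | 2017-12-03
2017-12-04T09:30:00Z | 10.1.2.3 | dropbox.com | Example Commercial CA | 2017-01-20
2017-12-04T09:31:12Z | 10.1.2.3 | dropbox-share.info | Example Free CA | 2017-11-30
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(sni: str) -> str:
    """Registrable domain; assumes two-label suffixes (ignores ccSLDs such as co.uk)."""
    return ".".join(sni.lower().rstrip(".").split(".")[-2:])


def normalize(label: str) -> str:
    """Undo common homoglyph substitutions so 'rnicrosoft' compares as 'microsoft'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def lookalike_brand(sni: str):
    """Return (brand, reason) when the SNI imitates a brand; None when the SNI is
    a legitimate brand domain or unrelated to any listed brand."""
    reg = registrable(sni)
    if any(reg in legit for legit in BRANDS.values()):
        return None
    label = normalize(reg.split(".")[0])
    for brand in BRANDS:
        if brand in label:  # e.g. dropbox-share, microsoft-verify after normalization
            return brand, f"contains brand '{brand}'"
        for token in label.split("-"):
            if len(token) >= 5 and levenshtein(token, brand) <= 2:  # e.g. docusing
                return brand, f"'{token}' is within 2 edits of '{brand}'"
    return None


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, sni, issuer, not_before = (f.strip() for f in line.split("|"))
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "client": client,
            "sni": sni, "issuer": issuer,
            "not_before": datetime.strptime(not_before, "%Y-%m-%d")}


def analyze(log_text: str) -> list:
    """Return one finding per session whose SNI is a brand lookalike, noting
    whether its certificate was also issued shortly before the session."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = lookalike_brand(rec["sni"])
        if hit is None:
            continue
        brand, reason = hit
        reasons = [reason]
        if rec["ts"] - rec["not_before"] <= FRESH_CERT:
            reasons.append("certificate issued within 7 days of the session")
        findings.append({"sni": rec["sni"], "client": rec["client"], "brand": brand,
                         "issuer": rec["issuer"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['sni']} ({f['issuer']}): {'; '.join(f['reasons'])}")
```

The allowlist is what keeps `login.microsoftonline.com` from being flagged even though it contains the brand string, so the check only works as well as the list of domains each brand really uses; the certificate age is reported as a second indicator rather than a trigger on its own, since legitimate sites also renew certificates.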
This is a Security Bloggers Network syndicated blog post authored by Naresh.Kumar@zscaler.com. Read the original post at: Research Blog